I recently distributed an informal survey to various cyber security professionals to gauge the current skills needed for recent graduates to enter the workforce in a junior security role. The survey received 100 responses and I give my sincere thanks to all who participated. The purpose of the survey is to: 1) aid instructors in ensuring their curriculum measures up to industry expectations, and 2) present students and recent graduates with guidelines on areas they should put more self-study effort into.
There has been a lot of discussion lately surrounding a skills shortage in the information security field. Certification group ISACA recently remarked on a potential global shortage of 2 million security professionals by 2019. Part of the problem appears to revolve around companies hiring experienced professionals already in the industry as opposed to bringing in fresh talent, due to a general feeling that recent graduates lack basic IT and security skills.
The below chart details how important industry professionals felt each skill was for a recent graduate looking to enter the field. Overwhelmingly, core security concepts were rated as the most needed skill for students/grads:
Additionally, respondents were asked to provide any other skills not listed above that they felt were vital for students to have practical experience in and to mention any specific skills they have noticed recent grads appear to lack:
A lack of soft skills (speaking/presentations, report writing, team work, etc.) among recent graduates was the most prevalent remark from professionals. One respondent remarked that they could teach every skill listed above in 6-12 months but the soft skills are the most difficult to teach.
Industry professionals note that many recent graduates appear to be less adept in core security concepts (confidentiality, integrity, availability, access control, social engineering, risk analysis concepts, etc.) and also lack practical experience and knowledge in basic IT skills such as formatting a hard drive, system administration, utilizing the command line in Windows and Linux, basic networking knowledge, using scripting languages, troubleshooting/critical thinking, etc. Respondents agreed that students will not be able to understand security concepts without first having the basic requisite knowledge.
The industry wants to hire students that have a passion for knowledge and work hard to figure out solutions to practical problems.
Other details and statistics from the survey are listed below but a few highlights include:
73% of information security professionals would hire smart and inquisitive students that demonstrated knowledge in the needed skills directly into a junior security role and be willing to mentor them. 27% of the surveyed professionals stated they would require recent graduates to work in the help desk or a server/network administration role prior to placing them into an entry-level security role to gain skills in which they may be lacking.
A security internship is the best way for a student to gain entry into a junior information security role followed by attending local meetups.
Current students as well as recent graduates of information security programs should take note of these suggestions from industry. Security professionals are willing to hire you and help you fill in your knowledge gaps. You must take the first step, though, to ensure you understand the basics. If you are not familiar with networking concepts, Linux, or the Windows command line, there is an abundance of online resources and books to help you catch up.
The students who keep quiet in class, never answer questions, or do not participate in discussions need to also step up their game. Finding a local Toastmasters club, joining an information security meetup and volunteering to give a presentation, starting a university security chapter, and simply taking time to make phone calls (as opposed to limiting all communications to texting) will only help you to develop better communication skills.
It may seem difficult to land an entry level job in information security, as company job postings often appear to require an abundance of full time work experience even for an entry level position. The industry could help this situation by ensuring HR is adequately mapping requirements to positions. (An entry level security position should not require a CISSP, which requires 4-5 years of work experience to attain.)
Students: professionals have spoken as to what they want in a recent graduate and are willing to train you. If you want these jobs, get studying, learn the basics, figure out a way to get your foot in the door, and take them. If you don't have the requisite skills and are passionate about infosec, then don't be afraid to build a foundation in another entry level role and gradually transition into a security position.
Other charts from the survey:
Lastly, security professionals gave additional feedback regarding books and other online resources they would recommend to students and recent graduates which can be accessed from the below Google Sheet:
Infosecurity Magazine wrote a follow up story which can be viewed here.